Disguised Exploits Slip Past Security

Your antivirus or security suite should protect against attacks that exploit system vulnerabilities. However, an NSS Labs test revealed that cyber-crooks can slip exploits past some security products using simple, standard evasion techniques.

Last week NSS Labs reported the results of a test involving 13 widely-used consumer security products. The test specifically examined each product's ability to resist Web-based exploits—attacks that take advantage of a flaw in the browser, the operating system, or a common application. Kaspersky earned the best score, with 92.2 percent of exploits blocked, but over half of the tested products blocked fewer than two-thirds of the exploits.

This week's report expands on that previous test, looking specifically at techniques used by cyber-criminals to evade detection. Most of the products proved vastly more successful than in a similar test in 2010.

To start, researchers gathered a collection of exploits that were successfully detected by all of the products in their unmodified form. They applied a number of different evasion techniques to each and tested whether each product detected and blocked download of the modified sample. For those that didn't block the download, they tested whether it blocked execution of the downloaded sample.

Evasion Techniques

Cyber-crooks want to get their exploits past your protection, and they'll try all kinds of ways to make that happen. Some evasion techniques involve using compression techniques on Web page content, encoding the page's URL, or modifying a page so it displays fine in the browser but looks very different at the HTML code level. All of the tested products saw through these evasion techniques, preventing download of the exploits.

All products also blocked malicious exploit payloads that were encoded using simple types of encryption. However, the majority didn't block compressed payloads. According to the report, "The choice of a default configuration that does not inspect compressed downloads is typically a tradeoff between performance and security."
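The compressed-payload gap described above, as an added example that is not from NSS Labs or this article: a minimal signature check on raw bytes misses a known-bad file once it is wrapped in gzip or zip, while a checker that unwraps compression layers (with a depth and size bound, which is the performance side of the tradeoff the report mentions) catches it. The sample payload and the single hash signature are constructed for the demonstration.

```python
import gzip
import hashlib
import io
import zipfile

# Constructed stand-in for a download that every product detects in unmodified form.
KNOWN_BAD = b"CONSTRUCTED-SAMPLE-EXPLOIT-PAYLOAD-0001"
# A one-entry signature set: SHA-256 of the unmodified sample (assumption for the demo).
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

MAX_DEPTH = 4            # how many nested compression layers to unwrap
MAX_INFLATED = 8 << 20   # 8 MiB per layer: bounds CPU/memory and decompression bombs


def scan_plain(data: bytes) -> bool:
    """Signature check on the raw bytes only; this is what misses compressed payloads."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def _unwrap(data: bytes):
    """Yield the contents of one compression layer if data is gzip or zip, else nothing."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as g:
            yield g.read(MAX_INFLATED + 1)
    elif data[:4] == b"PK\x03\x04":  # zip local file header
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                with z.open(info) as f:
                    yield f.read(MAX_INFLATED + 1)


def scan_deep(data: bytes, depth: int = 0) -> bool:
    """Signature check that also inspects compressed downloads, layer by layer.
    Returns True when the download should be blocked."""
    if scan_plain(data):
        return True
    if depth >= MAX_DEPTH:
        return False  # beyond the configured depth the content is not inspected
    for inner in _unwrap(data):
        if len(inner) > MAX_INFLATED:
            return True  # refuses to inflate further and blocks rather than skipping
        if scan_deep(inner, depth + 1):
            return True
    return False


def gzip_wrap(data: bytes) -> bytes:
    return gzip.compress(data)


def zip_wrap(data: bytes, name: str = "payload.bin") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()
```

Note that a payload nested deeper than MAX_DEPTH is still missed, which is the same tradeoff the report describes, only with the dial set by the defender instead of left at "never inspect".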

Packing is another kind of compression in which the program unpacks itself at run time. Packers exist to make legitimate downloads smaller, but they also serve to tweak malicious payloads so that simple detection techniques miss them. Avast!, AVG, McAfee, Microsoft, and Norton prevented downloading of all packed payloads; the other products missed some or all of them.

Block on Execution

NSS Labs recommends that security products block download of all malicious payloads even if it takes a little extra time to examine those that are compressed or otherwise obfuscated. However, if the exploit can't execute, it can't do any harm. That's where things get interesting.

ESET and Kaspersky only blocked downloads packed with three of the four packing tools used in this test, and Panda only blocked those packed with one of the four. Failing to block the download isn't terrible, but all three products missed the same packed exploits at execution time, and that's pretty bad.

Missing a specific evasion technique is a lot more significant than missing a specific malware sample, notes the report. When a product can't handle a particular technique, "any number of exploits or malware can be easily modified to slip past security products."

Results and Recommendations

Kaspersky was the big winner in the overall exploit test, with 92.2 percent blocking, but it's one of just three products that failed to block execution for 100 percent of samples in the evasion test. This time around Microsoft topped the chart, with 100 percent blocking of all samples at download time.

You can view the full report on the NSS Labs website. The report advises that if your security product is one of those that doesn't inspect compressed downloads, you should contact the vendor and find out how to turn on scanning of compressed downloads. It also strongly advises keeping up to date with all security patches.

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...